From owner-svn-doc-head@FreeBSD.ORG Fri Jan 31 18:43:30 2014 Return-Path: Delivered-To: svn-doc-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2375AE1B; Fri, 31 Jan 2014 18:43:30 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 0D45D1DFC; Fri, 31 Jan 2014 18:43:30 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id s0VIhU9V046135; Fri, 31 Jan 2014 18:43:30 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id s0VIhTJ9046134; Fri, 31 Jan 2014 18:43:29 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201401311843.s0VIhTJ9046134@svn.freebsd.org> 
From: Dru Lavigne Date: Fri, 31 Jan 2014 18:43:29 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43708 - head/en_US.ISO8859-1/books/handbook/network-servers X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Jan 2014 18:43:30 -0000 Author: dru Date: Fri Jan 31 18:43:29 2014 New Revision: 43708 URL: http://svnweb.freebsd.org/changeset/doc/43708 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 17:03:23 2014 (r43707) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 18:43:29 2014 (r43708) 
@@ -113,9 +113,9 @@ - The <application>inetd</application> + <title>The <application>inetd</application> Super-Server - + - - The &man.inetd.8; daemon is sometimes referred to as a - Super-Server because it manages - connections for many services. Instead of starting multiple - applications, only the inetd service - needs to be started. When a connection is received - for a service that is managed by inetd, it determines which - program the connection is destined for, spawns a - process for that program, and delegates the program a socket. - Using inetd - for services that are not heavily used can reduce - system load, when compared to running each daemon individually - in stand-alone mode. - - Primarily, inetd is used to - spawn other daemons, but several trivial protocols are handled - internally, such as chargen, - auth, - time, - echo, - discard, and - daytime. - This section covers the basics of configuring - inetd. + The &man.inetd.8; daemon is sometimes referred to as a + Super-Server because it manages connections for many services. + Instead of starting multiple applications, only the + inetd service needs to be started. + When a connection is received for a service that is managed by + inetd, it determines which program + the connection is destined for, spawns a process for that + program, and delegates the program a socket. Using + inetd for services that are not + heavily used can reduce system load, when compared to running + each daemon individually in stand-alone mode. + + Primarily, inetd is used to + spawn other daemons, but several trivial protocols are handled + internally, such as chargen, + auth, + time, + echo, + discard, and + daytime. + + This section covers the basics of configuring + inetd. Configuration File Configuration of inetd is - done by editing /etc/inetd.conf. Each line of this configuration file represents an application + done by editing /etc/inetd.conf. 
Each + line of this configuration file represents an application which can be started by inetd. By default, every line starts with a comment - (#), meaning that inetd - is not listening for any applications. To configure - inetd to listen for an application's - connections, remove the # at the beginning of - the line for that application. - - After saving your edits, configure inetd - to start at system boot by editing /etc/rc.conf: + (#), meaning that + inetd is not listening for any + applications. To configure inetd + to listen for an application's connections, remove the + # at the beginning of the line for that + application. + + After saving your edits, configure + inetd to start at system boot by + editing /etc/rc.conf: inetd_enable="YES" - To start - inetd now, so that it listens for - the service you configured, type: + To start inetd now, so that it + listens for the service you configured, type: &prompt.root; service inetd start @@ -192,16 +193,17 @@ Configuration File &prompt.root; service inetd reload - + Typically, the default entry for an application does not - need to be edited beyond removing the #. + need to be edited beyond removing the #. In some situations, it may be appropriate to edit the default entry. - As an example, this is the default entry for &man.ftpd.8; over IPv4: + As an example, this is the default entry for &man.ftpd.8; + over IPv4: - ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l + ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l The seven columns in an entry are as follows: 
@@ -220,13 +222,13 @@ server-program-argumentsservice-name - The service name of the daemon to start. - It must correspond to a service listed in + The service name of the daemon to start. It must + correspond to a service listed in /etc/services. This determines which port inetd listens on - for incoming connections to that service. - When using a custom service, it must first be - added to /etc/services. + for incoming connections to that service. When using a + custom service, it must first be added to + /etc/services. @@ -236,8 +238,8 @@ server-program-arguments Either stream, dgram, raw, or - seqpacket. Use stream - for TCP connections and + seqpacket. Use + stream for TCP connections and dgram for UDP services. @@ -286,7 +288,8 @@ server-program-arguments udp46 - Both UDP IPv4 and IPv6 + Both UDP IPv4 and + IPv6 
@@ -304,42 +307,40 @@ server-program-argumentsmax-connections-per-ip-per-minute and are optional. - indicates whether or not the - service is - able to handle its own socket. + indicates whether or + not the service is able to handle its own socket. socket types must use the - option while - daemons, which are usually multi-threaded, should use - . usually - hands off multiple sockets to a single daemon, while - spawns a child daemon for each - new socket. + option while + daemons, which are usually + multi-threaded, should use . + usually hands off multiple sockets + to a single daemon, while spawns + a child daemon for each new socket. The maximum number of child daemons inetd may spawn is set by - . For example, to limit - ten instances of the daemon, place a - /10 after - . Specifying + . For example, to limit ten + instances of the daemon, place a /10 + after . Specifying /0 allows an unlimited number of children. limits the number of connections from any particular - IP address per minute. Once the limit - is reached, further connections from this IP address - will be dropped until the end of the minute. For example, a value - of /10 would limit any particular IP - address to ten - connection attempts per minute. - limits the number of child processes that can be started on - behalf on any single IP address at - any moment. These options can limit - excessive resource - consumption and help to prevent Denial of Service attacks. + IP address per minute. Once the + limit is reached, further connections from this IP + address will be dropped until the end of the minute. + For example, a value of /10 would + limit any particular IP address to + ten connection attempts per minute. + limits the number of + child processes that can be started on behalf on any + single IP address at any moment. + These options can limit excessive resource consumption + and help to prevent Denial of Service attacks. 
- An example can be seen in the default - settings for &man.fingerd.8;: + An example can be seen in the default settings for + &man.fingerd.8;: finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s @@ -361,10 +362,9 @@ server-program-argumentsserver-program - The full path to the daemon. - If the daemon is a service - provided by inetd internally, - use . + The full path to the daemon. If the daemon is a + service provided by inetd + internally, use . @@ -372,11 +372,9 @@ server-program-argumentsserver-program-arguments - Used to - specify any command - arguments to be - passed to the daemon on invocation. If - the daemon is an internal service, use + Used to specify any command arguments to be passed + to the daemon on invocation. If the daemon is an + internal service, use . @@ -387,17 +385,17 @@ server-program-argumentsCommand-Line Options Like most server daemons, inetd - has a number of options that can be used to - modify its behaviour. By default, - inetd is started with - -wW -C 60. These options enable TCP wrappers for - all services, including internal services, and prevent any - IP address from requesting any - service more than 60 times per minute. - - To change the default options which are passed to inetd, - add an entry for inetd_flags in - /etc/rc.conf. If + has a number of options that can be used to modify its + behaviour. By default, inetd is + started with -wW -C 60. These options + enable TCP wrappers for all services, including internal + services, and prevent any IP address from + requesting any service more than 60 times per minute. + + To change the default options which are passed to + inetd, add an entry for + inetd_flags in + /etc/rc.conf. If inetd is already running, restart it with service inetd restart. 
@@ -409,9 +407,10 @@ server-program-arguments Specify the default maximum number of simultaneous - invocations of each service, where the default is unlimited. - May be overridden on a per-service basis by using - in /etc/inetd.conf. + invocations of each service, where the default is + unlimited. May be overridden on a per-service basis by + using in + /etc/inetd.conf. @@ -421,8 +420,8 @@ server-program-arguments Specify the default maximum number of times a service can be invoked from a single - IP address per minute. May be overridden on a per-service basis - by using + IP address per minute. May be + overridden on a per-service basis by using in /etc/inetd.conf. @@ -433,7 +432,8 @@ server-program-arguments Specify the maximum number of times a service can be - invoked in one minute, where the default is 256. A rate of 0 + invoked in one minute, where the default is + 256. A rate of 0 allows an unlimited number. @@ -446,13 +446,14 @@ server-program-argumentsIP address at any one time, where the default is unlimited. May be overridden on a per-service basis by using - in /etc/inetd.conf. + in + /etc/inetd.conf. - Additional options are available. Refer to &man.inetd.8; for - the full list of options. + Additional options are available. Refer to &man.inetd.8; + for the full list of options. 
@@ -460,19 +461,18 @@ server-program-argumentsMany of the daemons which can be managed by inetd are not security-conscious. - Some daemons, such as - fingerd, can - provide information that may be useful to an - attacker. Only enable the services which are needed and - monitor the system for excessive connection attempts. + Some daemons, such as fingerd, can + provide information that may be useful to an attacker. Only + enable the services which are needed and monitor the system + for excessive connection attempts. max-connections-per-ip-per-minute, max-child and max-child-per-ip can be used to limit such attacks. By default, TCP wrappers is enabled. Consult - &man.hosts.access.5; for more information on - placing TCP restrictions on various + &man.hosts.access.5; for more information on placing TCP + restrictions on various inetd invoked daemons. 
@@ -657,28 +657,28 @@ mountd_flags="-r" read-only, preventing clients from making any changes to those exported file systems. - The next example exports - /home to three clients - by IP address. This can be useful for - networks without DNS. Optionally, - /etc/hosts could be configured for - internal hostnames; please review &man.hosts.5; for more - information. The -alldirs flag allows - subdirectories to be mount points. In other words, it will - not mount the subdirectories but permit the client to mount - only the directories that are required or needed. + The next example exports /home to + three clients by IP address. This can be + useful for networks without DNS. + Optionally, /etc/hosts could be + configured for internal hostnames; please review &man.hosts.5; + for more information. The -alldirs flag + allows subdirectories to be mount points. In other words, it + will not mount the subdirectories but permit the client to + mount only the directories that are required or needed. /home -alldirs 10.0.0.2 10.0.0.3 10.0.0.4 - This next line exports - /a so that two clients - from different domains may access the file system. The - flag allows the - root user on the remote system to write - data on the exported file system as root. - If the -maproot=root flag is not specified, - the client's root user will be mapped to - the server's nobody account and will be + This next line exports /a so that two + clients from different domains may access the file system. + The flag allows the + root user on the + remote system to write data on the exported file system as + root. If the + -maproot=root flag is not specified, the + client's root user + will be mapped to the server's nobody account and will be subject to the access limitations defined for user, nobody. 
@@ -692,16 +692,16 @@ mountd_flags="-r" the export information for one file system to one or more clients. A remote host can only be specified once per file system. For example, assume that - /usr is a single file - system. This entry, in /etc/exports, - would be invalid: + /usr is a single file system. This + entry, in /etc/exports, would be + invalid: # Invalid when /usr is one file system /usr/src client /usr/ports client - The /usr file - system has two lines specifying exports to the same host, + The /usr file system has two lines + specifying exports to the same host, client. The correct format for this situation is: @@ -713,9 +713,8 @@ mountd_flags="-r" system. The following is an example of a valid export list, where - /usr and - /exports are local - file systems: + /usr and /exports + are local file systems: # Export src and ports to client01 and client02, but only # client01 has root privileges on it @@ -739,7 +738,8 @@ mountd_flags="-r" On a new server being configured with NFS services, the server can be started by - running this command as root: + running this command as root: &prompt.root; service nfsd start @@ -750,9 +750,10 @@ mountd_flags="-r" The client now has everything it needs to mount a remote file system. In these examples, the server's name is server and the client's name is - client. For testing or to temporarily mount - a remote file system, execute mount - as root on + client. For testing or to + temporarily mount a remote file system, execute + mount as root on client: 
@@ -762,16 +763,16 @@ mountd_flags="-r" &prompt.root; mount server:/home /mnt This mounts the server: - /home file system to - the client: - /mnt mount point. The - files and directories in the server - /home file system will - now be available on client, in the + /home file system to the + client: + /mnt mount point. The files and + directories in the server + /home file system will now be available + on client, in the /mnt directory. - To mount a remote file system each time the client - boots, add it to /etc/fstab: + To mount a remote file system each time the client boots, + add it to /etc/fstab: server:/home /mnt nfs rw 0 0 @@ -786,8 +787,8 @@ mountd_flags="-r" require file locking to operate correctly. In the case of NFS, rpc.lockd can be used for file locking. To enable it, add this line to - /etc/rc.conf on both client - and server: + /etc/rc.conf on both client and + server: rpc_lockd_enable="YES" rpc_statd_enable="YES" @@ -796,8 +797,8 @@ rpc_statd_enable="YES" NFS client and server are already configured. - Start the application, as root, - with: + Start the application, as root, with: &prompt.root; service lockd start &prompt.root; service statd start @@ -805,8 +806,7 @@ rpc_statd_enable="YES" If locking is not required on the server, the NFS client can be configured to lock locally by passing to &man.mount.nfs.8;. - Refer to &man.mount.nfs.8; for further - details. + Refer to &man.mount.nfs.8; for further details. @@ -836,10 +836,11 @@ rpc_statd_enable="YES" - Several clients may need access to the /usr/ports/distfiles - directory. Sharing that directory allows for quick access - to the source files without having to download them to - each client. + Several clients may need access to the + /usr/ports/distfiles directory. + Sharing that directory allows for quick access to the + source files without having to download them to each + client. 
@@ -886,14 +887,15 @@ rpc_statd_enable="YES" /net directories. When a file is accessed within one of these directories, amd looks up the corresponding - remote mount and automatically mounts it. /net is used to mount an - exported file system from an IP address, - while /host is used to - mount an export from a remote hostname. + remote mount and automatically mounts it. + /net is used to mount an exported file + system from an IP address, while + /host is used to mount an export from a + remote hostname. For instance, an attempt to access a file within - /host/foobar/usr would - tell amd to mount the + /host/foobar/usr would tell + amd to mount the /usr export on the host foobar. @@ -901,10 +903,9 @@ rpc_statd_enable="YES" Mounting an Export with <application>amd</application> - showmount -e shows the - exported file systems that can be mounted from - the NFS server, - foobar: + showmount -e shows the exported file + systems that can be mounted from the NFS + server, foobar: &prompt.user; showmount -e foobar Exports list on foobar: @@ -914,13 +915,13 @@ Exports list on foobar: The output from showmount shows - /usr as an export. - When changing directories to - /host/foobar/usr, + /usr as an export. When changing + directories to /host/foobar/usr, amd intercepts the request and - attempts to resolve the hostname foobar. If - successful, amd automatically - mounts the desired export. + attempts to resolve the hostname + foobar. If successful, + amd automatically mounts the + desired export. amd is enabled by placing this line in /etc/rc.conf: @@ -942,8 +943,8 @@ Exports list on foobar: /etc/amd.conf defines some of the more advanced features of amd. - Consult &man.amd.8; and &man.amd.conf.5; - for more information. + Consult &man.amd.8; and &man.amd.conf.5; for more + information. 
@@ -1193,32 +1194,37 @@ Exports list on foobar: ellington - 10.0.0.2 + 10.0.0.2 NIS master coltrane - 10.0.0.3 + 10.0.0.3 NIS slave basie - 10.0.0.4 + 10.0.0.4 Faculty workstation bird - 10.0.0.5 + 10.0.0.5 Client machine cli[1-11] - 10.0.0.[6-17] + 10.0.0.[6-17] Other client machines @@ -1376,8 +1382,8 @@ nis_client_flags="-S NIS do NIS maps - NIS maps - are generated from the configuration files in /etc on the + NIS maps are generated from the + configuration files in /etc on the NIS master, with one exception: /etc/master.passwd. This is to prevent the propagation of passwords to all the servers in @@ -1392,8 +1398,8 @@ nis_client_flags="-S NIS do It is advisable to remove all entries for system accounts as well as any user accounts that do not need to be propagated to the NIS clients, such - as the root and any other - administrative accounts. + as the root and + any other administrative accounts. Ensure that the /var/yp/master.passwd is neither @@ -1603,8 +1609,7 @@ Remember to update map ypservers on elli Edit /etc/rc.conf and add the following lines in order to set the NIS domain name and start - &man.ypbind.8; during network - startup: + &man.ypbind.8; during network startup: nisdomainname="test-domain" nis_client_enable="YES" @@ -1618,7 +1623,8 @@ nis_client_enable="YES" /etc/master.passwd. When removing the accounts, keep in mind that at least one local account should remain and this account should be - a member of wheel. If there is + a member of wheel. If there is a problem with NIS, this local account can be used to log in remotely, become the superuser, and fix the problem. Before saving the @@ -1633,8 +1639,8 @@ nis_client_enable="YES" account on the client. There are many ways to configure the NIS client by modifying this line. One method is described in - . For - more detailed reading, refer to the book + . For more + detailed reading, refer to the book Managing NFS and NIS, published by O'Reilly Media. 
@@ -1728,27 +1734,27 @@ nis_client_enable="YES" Barring Some Users - In this example, the basie system - is a faculty workstation within the NIS - domain. The passwd map on the master + In this example, the basie + system is a faculty workstation within the + NIS domain. The + passwd map on the master NIS server contains accounts for both faculty and students. This section demonstrates how to allow faculty logins on this system while refusing student logins. - To prevent specified users from logging on to a - system, even if they are present in the + To prevent specified users from logging on to a system, + even if they are present in the NIS database, use vipw - to add - -username with - the correct number of colons towards the end of + to add -username with the correct number + of colons towards the end of /etc/master.passwd on the client, where username is the username of a user to bar from logging in. The line with the blocked user must be before the + line that allows NIS users. In this example, - bill is barred from logging on to - basie: + bill is barred + from logging on to basie: basie&prompt.root; cat /etc/master.passwd root:[password]:0:0::0:0:The super-user:/root:/bin/csh @@ -1824,21 +1830,24 @@ basie&prompt.root; - charlie, - delta + charlie, delta IT department apprentices echo, foxtrott, - golf, ... + golf, + ... employees able, - baker, ... + baker, + ... interns @@ -1861,7 +1870,8 @@ basie&prompt.root; war, - death, famine, + death, + famine, pollution Only IT employees are allowed to log onto these servers. @@ -1869,16 +1879,21 @@ basie&prompt.root; - pride, greed, - envy, wrath, - lust, sloth + pride, + greed, + envy, + wrath, + lust, + sloth All members of the IT department are allowed to login onto these servers. - one, two, - three, four, + one, + two, + three, + four, ... Ordinary workstations used by employees. 
@@ -2567,8 +2582,11 @@ result: 0 Success by the client to obtain the addressing information. &os; does not install a DHCP server, but several servers are available in the &os; Ports Collection. The - DHCP protocol is fully described in RFC 2131. - Informational resources are also available at isc.org/downloads/dhcp/. + DHCP protocol is fully described in RFC + 2131. + Informational resources are also available at isc.org/downloads/dhcp/. This section describes how to use the built-in DHCP client. It then describes how to @@ -2706,7 +2724,8 @@ result: 0 Success to act as a DHCP server using the Internet Systems Consortium (ISC) implementation of the DHCP server. This implementation and - its documentation can be installed using the net/isc-dhcp42-server package or + its documentation can be installed using the + net/isc-dhcp42-server package or port. @@ -2719,8 +2738,9 @@ result: 0 Success installation - The installation of net/isc-dhcp42-server installs a - sample configuration file. Copy + The installation of + net/isc-dhcp42-server installs a sample + configuration file. Copy /usr/local/etc/dhcpd.conf.example to /usr/local/etc/dhcpd.conf and make any edits to this new file. @@ -2898,9 +2918,10 @@ dhcpd_ifaces="dc0" one DHCP server forwards a request from a client to another DHCP server on a separate network. If this functionality is - required, install the net/isc-dhcp42-relay - package or port. The installation includes dhcrelay(8) - which provides more detail. + required, install the + net/isc-dhcp42-relay package or port. + The installation includes dhcrelay(8) which provides + more detail. 
@@ -2939,7 +2960,8 @@ dhcpd_ifaces="dc0" is the most common implementation of the DNS protocol. The &os; version provides enhanced security features, a new file system layout, and automated &man.chroot.8; - configuration. BIND is maintained by the isc.org. It is not + configuration. BIND is maintained by the isc.org. It is not necessary to run a name server to perform DNS lookups on a system. @@ -3028,8 +3050,8 @@ dhcpd_ifaces="dc0" - . is how the root zone is usually - referred to in documentation. + . is how the root zone is + usually referred to in documentation. @@ -3038,24 +3060,28 @@ dhcpd_ifaces="dc0" - example.org. is a + example.org. is a zone under the org. TLD. - 1.168.192.in-addr.arpa is a zone - referencing all IP addresses which fall - under the 192.168.1.* + 1.168.192.in-addr.arpa is a + zone referencing all IP addresses which + fall under the 192.168.1.* IP address space. As one can see, the more specific part of a hostname - appears to its left. For example, example.org. is more specific than - org., as org. is more specific - than the root zone. The layout of each part of a hostname is - much like a file system: the /dev directory falls within the + appears to its left. For example, example.org. is more + specific than org., as + org. is more specific than the root + zone. The layout of each part of a hostname is much like a file + system: the /dev directory falls within the root, and so on. @@ -3074,8 +3100,8 @@ dhcpd_ifaces="dc0" - A domain, such as - example.org, is + A domain, such as example.org, is registered and IP addresses need to be assigned to hostnames under it. 
@@ -3102,10 +3128,10 @@ dhcpd_ifaces="dc0" - When one queries for - www.FreeBSD.org, the resolver - usually queries the uplink ISP's name - server, and retrieves the reply. With a local, caching + When one queries for www.FreeBSD.org, the + resolver usually queries the uplink ISP's + name server, and retrieves the reply. With a local, caching DNS server, the query only has to be made once to the outside world by the caching DNS server. Additional queries will not @@ -3286,8 +3312,8 @@ options { name server, enabling this may be worthwhile. - 127.0.0.1 will - not work here. Change this + 127.0.0.1 + will not work here. Change this IP address to a name server at the uplink. @@ -3538,8 +3564,8 @@ zone "1.168.192.in-addr.arpa" { to named.conf. For example, the simplest zone entry for - example.org can look - like: + example.org + can look like: zone "example.org" { type master; @@ -3573,8 +3599,8 @@ zone "1.168.192.in-addr.arpa" { zone files - An example master zone file for - example.org (existing + An example master zone file for example.org (existing within /etc/namedb/master/example.org) is as follows: @@ -3677,7 +3703,8 @@ www IN CNAME example. - example.org. + example.org. the domain name, also the origin for this @@ -3686,7 +3713,8 @@ www IN CNAME example. - ns1.example.org. +
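Review bot: in hunk @@ -304,42 +307,40 @@ the reflow carries the pre-existing typo "started on behalf on any single IP address" through unchanged. That is correct for a commit declared as whitespace-only, but please queue a follow-up wording commit that changes it to "started on behalf of any single IP address", since this is the paragraph that explains the max-child-per-ip limit and its role in limiting resource consumption.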
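Review bot: hunk @@ -1869,16 +1879,21 @@ preserves "All members of the IT department are allowed to login onto these servers", where "login" is used as a verb. Out of scope for this whitespace-only revision, but a follow-up should read "allowed to log in to these servers".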
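Review bot: hunk @@ -2567,8 +2582,11 @@ now splits "RFC" and "2131" across two source lines ("RFC" at the end of one line, "2131." at the start of the next). Rendered output is unaffected because XML collapses the whitespace, but keeping "RFC 2131" on one source line keeps the reference greppable; suggest wrapping before "RFC" instead.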
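Review bot: hunk @@ -2939,7 +2960,8 @@ keeps the sentence "BIND is maintained by the isc.org." verbatim; the article before "isc.org" is a pre-existing grammar error. Nothing to change in this whitespace-only commit, but a follow-up should make it "BIND is maintained by isc.org." or name the ISC in full.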